Unexpected sender lookups

  • Geoff Shang
    Message 1 of 2, Mar 8, 2013
      Hi,

      My second query.

      We have a mail scanner which receives outside mail from our MX and
      submitted mail from customers, scans it for spam and viruses, and either
      delivers it to customers or sends it out to the world via the MX. This
      means that all mail is relayed, the machine has no direct access to the
      outside world.

      In testing our setup, I've noticed that both relay_domains and
      relay_recipient_maps are checking the fqdn/domain/tld and sending address
      respectively, as well as the recipient domain and address. As these
      details are in LDAP, the LDAP server is getting hammered with a
      significant number of unnecessary lookups.

      I don't understand why this is happening. My reading of the Postfix
      documentation is that these lookups should not be checking any sender
      information.

      The only places where LDAP is referenced are relay_domains,
      relay_recipient_maps and transport_maps. I thought maybe the
      transport_maps were to blame, but I tried disabling each in turn and
      replacing it with file-based lookups, and it's clear that transport_maps
      is not doing this and the others are.

      Here's a log of the kinds of lookups I'm talking about. There should only
      be example.com-related lookups:

      SRCH base="ou=mail,dc=ourdomain,dc=com" scope=1 deref=0 filter="(o=mx.ourdomain.com)" attr=o
      SRCH base="ou=mail,dc=ourdomain,dc=com" scope=1 deref=0 filter="(o=.ourdomain.com)" attr=o
      SRCH base="ou=mail,dc=ourdomain,dc=com" scope=1 deref=0 filter="(o=.com)" attr=o
      SRCH base="o=mx.ourdomain.com,ou=mail,dc=ourdomain,dc=com" scope=2 deref=0 filter="(mail=geoff@...)" attr=mail
      SRCH base="ou=mail,dc=ourdomain,dc=com" scope=1 deref=0 filter="(o=example.com)" attr=o
      SRCH base="o=example.com,ou=mail,dc=ourdomain,dc=com" scope=2 deref=0 filter="(mail=test099999@...)" attr=mail
      SRCH base="o=example.com,ou=mail,dc=ourdomain,dc=com" scope=2 deref=0 filter="(mail=test099999@...)" attr=mail
      SRCH base="ou=mail,dc=ourdomain,dc=com" scope=1 deref=0 filter="(o=mx.ourdomain.com)" attr=o
      SRCH base="ou=mail,dc=ourdomain,dc=com" scope=1 deref=0 filter="(o=.ourdomain.com)" attr=o
      SRCH base="ou=mail,dc=ourdomain,dc=com" scope=1 deref=0 filter="(o=.com)" attr=o
      SRCH base="o=mx.ourdomain.com,ou=mail,dc=ourdomain,dc=com" scope=2 deref=0 filter="(mail=geoff@...)" attr=mail
      SRCH base="ou=mail,dc=ourdomain,dc=com" scope=1 deref=0 filter="(o=example.com)" attr=o
      SRCH base="o=example.com,ou=mail,dc=ourdomain,dc=com" scope=2 deref=0 filter="(mail=test099999@...)" attr=mail
      SRCH base="ou=mail,dc=ourdomain,dc=com" scope=1 deref=0 filter="(o=example.com)" attr=o
      SRCH base="o=example.com,ou=mail,dc=ourdomain,dc=com" scope=2 deref=0 filter="(mail=test099999@...)" attr=mail

      The searches on the "o" attribute are relay_domains lookups and the "mail"
      attribute lookups are from relay_recipient_maps.

      I'm using postfix 2.7.1 (Debian stable). Any ideas how to prevent this?

      The postfix config is not set in stone yet and I mean to tidy it up some.
      But here's how it looks right now:

      alias_database = hash:/etc/aliases
      alias_maps = hash:/etc/aliases
      append_dot_mydomain = no
      biff = no
      broken_sasl_auth_clients = yes
      config_directory = /etc/postfix
      content_filter = amavisfeed:[127.0.0.1]:10024
      html_directory = /usr/share/doc/postfix/html
      inet_interfaces = all
      inet_protocols = ipv6,ipv4
      mailbox_size_limit = 0
      mydestination = scanner.ourdomain.com, localhost
      myhostname = scanner.ourdomain.com
      myorigin = /etc/mailname
      readme_directory = /usr/share/doc/postfix
      recipient_delimiter = +
      relay_domains = proxy:ldap:/etc/postfix/ldap-domains.cf ourdomain.com
      relay_recipient_maps =
          proxy:pgsql:/etc/postfix/pgsql_corporate_recipients.cf
          proxy:ldap:/etc/postfix/ldap-users.cf
      relayhost = mx.ourdomain.com
      smtp_destination_concurrency_limit = 100
      smtp_helo_timeout = 30s
      smtp_tls_ciphers = high
      smtp_tls_loglevel = 1
      smtp_tls_mandatory_ciphers = high
      smtp_tls_mandatory_exclude_ciphers = RC4,MD5
      smtp_tls_note_starttls_offer = yes
      smtp_tls_protocols = !SSLv2,!SSLv3
      smtp_tls_security_level = encrypt
      smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
      smtpd_banner = $myhostname ESMTP Atari/64
      smtpd_client_connection_count_limit = 5
      smtpd_client_connection_rate_limit = 10
      smtpd_error_sleep_time = 0
      smtpd_hard_error_limit = 10
      smtpd_helo_required = yes
      smtpd_helo_restrictions = permit_mynetworks, warn_if_reject
          reject_non_fqdn_hostname, reject_invalid_hostname
      smtpd_recipient_limit = 100000
      smtpd_recipient_restrictions = permit_mynetworks,
          permit_sasl_authenticated, check_client_access
          hash:/etc/postfix/access check_recipient_access
          hash:/etc/postfix/recipient_access check_sender_access
          hash:/etc/postfix/sender_access reject_unauth_destination,
          warn_if_reject reject_unknown_sender_domain, warn_if_reject
          reject_unauth_pipelining, warn_if_reject
          reject_unknown_recipient_domain, warn_if_reject reject_non_fqdn_recipient,
          warn_if_reject reject_unknown_hostname, warn_if_reject
          reject_non_fqdn_hostname, warn_if_reject reject_unknown_client,
          warn_if_reject reject_invalid_hostname, warn_if_reject
          reject_non_fqdn_sender
      smtpd_sasl_auth_enable = yes
      smtpd_sasl_local_domain =
      smtpd_sasl_security_options = noanonymous
      smtpd_sasl_type = cyrus
      smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks,
          warn_if_reject reject_non_fqdn_sender, warn_if_reject
          reject_unknown_sender_domain
      smtpd_soft_error_limit = 5
      smtpd_timeout = 30s
      smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
      smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
      smtpd_tls_loglevel = 1
      smtpd_tls_received_header = yes
      smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
      smtpd_use_tls = yes
      transport_maps = proxy:pgsql:/etc/postfix/pgsql_corporate_recipients.cf
          proxy:ldap:/etc/postfix/ldap-users.cf
      unknown_local_recipient_reject_code = 550

      The LDAP configs are the same as in the other thread, but here they are
      for reference.

      /etc/postfix/ldap-domains.cf:

      version = 3
      timeout = 20
      size_limit = 1
      expansion_limit = 1
      start_tls = no
      tls_require_cert = no
      scope = one
      query_filter = o=%s
      result_attribute = o
      server_host = ldap://ldap-server.ourdomain.com
      search_base = ou=mail,dc=ourdomain,dc=com

      /etc/postfix/ldap-users.cf:

      version = 3
      timeout = 20
      size_limit = 1
      expansion_limit = 1
      start_tls = no
      tls_require_cert = no
      scope = sub
      query_filter = mail=%s
      result_attribute = mail
      server_host = ldap://ldap-server.ourdomain.com
      search_base = o=%d,ou=mail,dc=ourdomain,dc=com

      # The return value is only used in a transport map (i.e. on our scanner)
      result_format = lmtp:[imap.ourdomain.com]:24
    • Viktor Dukhovni
      Message 2 of 2, Mar 8, 2013
        On Fri, Mar 08, 2013 at 06:02:35PM +0200, Geoff Shang wrote:

        > In testing our setup, I've noticed that both relay_domains and
        > relay_recipient_maps are checking the fqdn/domain/tld and sending
        > address respectively, as well as the recipient domain and address.

        The sender will always be checked against relay_domains, as a
        side-effect of determining whether the sender domain is "local",
        which is required to transform the address into internal form
        in various cases.

        I am not aware of any cases in which the sender is passed through
        relay_recipient_maps unless you have "reject_unlisted_sender"
        somewhere in your configuration or are doing sender-address-verification.

        > As these details are in LDAP, the LDAP server is getting hammered
        > with a significant number of unnecessary lookups.

        Index your LDAP tables to support all the required queries without
        table scans. Postfix imposes a small load on a well configured LDAP
        server.

        --
        Viktor.
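An added example, not code from either message in this thread: a small Python analyzer for the kind of slapd SRCH records Geoff quoted. It attributes each query to the Postfix table that issued it using the mapping he states (the "o" attribute for relay_domains via ldap-domains.cf, the "mail" attribute for relay_recipient_maps via ldap-users.cf), lists the lookups that fall outside the recipient domain an operator expects to see queried, and, following Viktor's advice to index for every query, emits the OpenLDAP cn=config LDIF that adds an equality index for each attribute the observed filters test. The sample log is constructed (the elided local parts are replaced with made-up ones), and the database DN "olcDatabase={1}mdb,cn=config" is an assumed placeholder to adjust for the server in question.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample log, modelled on the records quoted in the question.
# slapd writes one SRCH record per line; the elided local parts ("geoff@...",
# "test099999@...") are replaced here with made-up values.
SAMPLE_LOG = """\
SRCH base="ou=mail,dc=ourdomain,dc=com" scope=1 deref=0 filter="(o=mx.ourdomain.com)" attr=o
SRCH base="ou=mail,dc=ourdomain,dc=com" scope=1 deref=0 filter="(o=.ourdomain.com)" attr=o
SRCH base="ou=mail,dc=ourdomain,dc=com" scope=1 deref=0 filter="(o=.com)" attr=o
SRCH base="o=mx.ourdomain.com,ou=mail,dc=ourdomain,dc=com" scope=2 deref=0 filter="(mail=sender@mx.ourdomain.com)" attr=mail
SRCH base="ou=mail,dc=ourdomain,dc=com" scope=1 deref=0 filter="(o=example.com)" attr=o
SRCH base="o=example.com,ou=mail,dc=ourdomain,dc=com" scope=2 deref=0 filter="(mail=user@example.com)" attr=mail
SRCH base="o=example.com,ou=mail,dc=ourdomain,dc=com" scope=2 deref=0 filter="(mail=user@example.com)" attr=mail
"""

# Which Postfix table queries which attribute, as stated in the thread:
# ldap-domains.cf uses query_filter = o=%s, ldap-users.cf uses mail=%s.
ATTR_TO_TABLE = {"o": "relay_domains", "mail": "relay_recipient_maps"}

SRCH_RE = re.compile(
    r'SRCH base="(?P<base>[^"]*)" scope=(?P<scope>\d) deref=\d '
    r'filter="\((?P<attr>[A-Za-z]+)=(?P<key>[^)]*)\)" attr=\S+'
)


@dataclass(frozen=True)
class Lookup:
    base: str    # search base; for ldap-users.cf it embeds %d, the domain part
    scope: int   # 1 = one level, 2 = subtree
    attr: str    # attribute tested in the equality filter
    key: str     # value Postfix asked for (a domain or an address)
    table: str   # Postfix table inferred from the attribute


def parse_srch(log_text):
    """Return one Lookup per SRCH record; other slapd lines are skipped."""
    lookups = []
    for line in log_text.splitlines():
        m = SRCH_RE.search(line)
        if not m:
            continue
        attr = m.group("attr").lower()
        lookups.append(Lookup(m.group("base"), int(m.group("scope")), attr,
                              m.group("key"), ATTR_TO_TABLE.get(attr, "unknown")))
    return lookups


def lookup_domain(lookup):
    """Domain a lookup concerns: after the '@' for addresses, the key itself
    (minus the leading '.' of a parent-domain key) for domain lookups."""
    if "@" in lookup.key:
        return lookup.key.rsplit("@", 1)[1].lower()
    return lookup.key.lstrip(".").lower()


def classify(lookups, expected_domains):
    """Summarise lookups per table, list the parent-domain walk entries
    ('.ourdomain.com', '.com') and the lookups whose domain the operator did
    not expect to be queried at all."""
    expected = {d.lower() for d in expected_domains}
    unexpected = [lk for lk in lookups if lookup_domain(lk) not in expected]
    return {
        "per_table": dict(Counter(lk.table for lk in lookups)),
        "parent_domain_walk": [lk.key for lk in lookups
                               if lk.attr == "o" and lk.key.startswith(".")],
        "unexpected": [(lk.table, lk.key) for lk in unexpected],
        "unexpected_ratio": len(unexpected) / len(lookups) if lookups else 0.0,
    }


def index_ldif(lookups, db_dn="olcDatabase={1}mdb,cn=config"):
    """LDIF adding an equality index for every attribute the observed filters
    test, so each Postfix query is answered from an index, not a table scan.
    db_dn is an assumed placeholder; olcDbIndex is multi-valued, so values the
    database already indexes must be left out of the add."""
    attrs = sorted({lk.attr for lk in lookups})
    lines = [f"dn: {db_dn}", "changetype: modify", "add: olcDbIndex"]
    lines += [f"olcDbIndex: {a} eq" for a in attrs]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = parse_srch(SAMPLE_LOG)
    for item, value in classify(found, {"example.com"}).items():
        print(f"{item}: {value}")
    print(index_ldif(found))
```

Run against a real slapd log (loglevel stats), the "unexpected" list separates the sender-side relay_domains walk Viktor describes from the recipient lookups the operator meant to pay for, and the emitted LDIF can be fed to ldapmodify after checking which olcDbIndex values the database already carries.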